Today, everyone must go through arduous certification and testing programs to create certifiable platforms that are both secure and contain working code. To address this complicated process, the OCF certification program continues to evolve and improve. One of the ways in which it continues to grow involves the testing and certification of modules for inclusion in devices whether they are a server or client. An OCF-capable module is not a complete end-product. However, it is designed to meet all the OCF certification requirements and functionality that can be included as part of an end-product. In this case, the modules we are referring to are sensors and actuators. As a result, the OCF recently began the process of certifying sensors and actuators to address the market demand for lower cost devices in the network.
By Mark Walker, Director, Technology Policy at CableLabs
One of the main pillars of the Open Connectivity Foundation (OCF) is security. Security is foundational to the sustained growth and adoption of IoT. Without sufficient security, connected devices pose a risk to end users and networks alike, providing ready fodder for nefarious actors to exploit. As a foundation of more than 400 members, the OCF is continuously and tirelessly striving to create secure, reliable, and interoperable IoT for all. One of the many ways in which we are doing this is working with other organizations and providing our expertise and input to help drive increased IoT security, including the recent C2 Consensus on IoT Devices Security Baseline Capabilities, released by the Council to Secure the Digital Economy (CSDE) and spearheaded by the Consumer Technology Association (CTA).
This is the second part in a two-part series highlighting IoT security issues and how the OCF addresses them. This blog will cover the suggested security capabilities laid out by NIST that the OCF specification includes and will continue to build upon, ensuring a secure, interoperable IoT around the world.
During the Open Connectivity Foundation (OCF) face-to-face meeting this summer in New Orleans, Louisiana, Michael Fagan, a cybersecurity specialist from the National Institute of Standards and Technology (NIST), spoke to OCF members about NIST’s ongoing work to improve the security of Internet of Things (IoT), including the development of a core set of security capabilities applicable to all IoT devices. NIST’s mission includes promoting U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
To help drive increased IoT security, NIST develops guidance for industry and the public sector in the form of reports and other publications and through its National Cybersecurity Center of Excellence (NCCoE), which leverages a collaborative model to develop practical solutions to pressing cybersecurity issues. In particular, NIST is currently developing a report (“Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers,” NISTIR 8259 (Draft)) that provides guidance to manufacturers on the core set of security capabilities that should be included in all devices. These capabilities range from logical and physical device identification to the ability for IoT devices’ software and firmware to be updated via a secure, controlled, and configurable mechanism.
So how is the OCF going to implement these capabilities? We already have. Of the six core IoT baseline capabilities identified in the draft NIST report, OCF currently supports five, with plans to cover the remaining one in the near future. These capabilities include:
This is the first of a two-part series highlighting IoT device security issues and how the OCF is addressing them.
When people talk about the Internet of Things (IoT), they are referring to the ability to add internet connectivity to a system of interconnected devices. Each device, or “thing,” comes out of the box with a unique identifier and the ability to automatically transfer data over a network. However, allowing devices to connect to the internet opens them, and the network, up to a variety of serious vulnerabilities if they are not suitably protected. Because IoT is a relatively new market, many product designers and manufacturers are more interested in getting their new products to market quickly than in taking the necessary steps to build lasting security into their products from the beginning.
Since the IoT has grown exponentially over the past few years, security has been under the microscope, especially after high-profile instances where a common IoT device was used to break into and attack the larger network. For instance, cybercriminals hacked a casino through its internet-connected thermometer in an aquarium in the lobby of the casino. Then, the hackers exploited a vulnerability in the thermostat to get a foothold into the network. Once there, they managed to access the high-roller database of gamblers and pulled it back across the network, out the thermostat, and up to the cloud. This is just one of many examples underscoring how employing security measures is crucial to making sure networks with IoT devices connected to them are safe.
The Open Connectivity Foundation (OCF) is dedicated to ensuring secure interoperability for consumers, businesses and industries by delivering a standard communications platform, a bridging specification, an open source implementation, and a certification program allowing devices to communicate regardless of form factor, operating system, service provider, transport technology, or ecosystem. Our aim is to get industry consolidation around a common, interoperable approach to connect all future devices for the IoT. The member companies involved in OCF believe that secure and reliable device discovery and connectivity is a foundational component in enabling the IoT. The good news is that this is already underway.
The OCF Specifications are the answer to the as-yet-unsolved secure interoperability issue the IoT industry faces today. The Specifications provide the secure communication structure which is a standard model for applications and services to interact with IoT resources. They map to multiple transports and bridge to other IoT ecosystems. Finally, they leverage existing industry standards and technologies, provide connections between devices, between devices and the cloud, and manage the flow of information among devices.
OCF-Certified products give end users choice in purchasing. Consumers aren’t dependent on one particular brand to ensure the products all work together, right out of the box. With the knowledge that security has been built into OCF-certified devices during manufacturing, consumers can rest easy knowing their network is secure from any vulnerabilities. This combination of ease and security offers an IoT experience that simply improves everyday life.
In the second blog in this two-part series, we’ll be examining the suggested security capabilities laid out by the National Institute of Standards and Technology (NIST) that the OCF Specification includes and will continue to build upon, ensuring a secure, interoperable IoT around the world.
By Betty Zhao, Haier U+
The OCF China Forum held its first event this past May, graciously hosted by the China Electric Institute (CEI) in Guangzhou, China. The event saw a great turnout, with 112 attendees from more than 70 companies.
As participants of this kick-off event were new to the OCF, the goal was to give a high-level overview of IoTivity and OCF, including our core goals, implementations, and security aspects. We hoped attendees would leave with the impression that OCF is a viable solution and be motivated to learn more about the Foundation.